RPMs and CVEs

From Brandonhutchinson.com

Vulnerability Assessment (VA) tools commonly flag services on our Red Hat systems as potentially vulnerable based on the services' versions alone. Since Red Hat backports security fixes into its packages, the packages may already be patched to address the vulnerabilities. Note that VA tools that support the Open Vulnerability and Assessment Language (OVAL) can determine the status of vulnerabilities even with backported fixes.

VA tools often reference vulnerabilities by their Common Vulnerabilities and Exposures (CVE) number. One of the easiest ways to determine if a Red Hat package is patched for a particular CVE is to examine the package's changelog, since Red Hat records the CVE identifiers a fix addresses in the changelog entry for the patched release.

$ rpm -q package --changelog | egrep "(CAN|CVE)-"

Note that starting on 2005/10/19, the CAN- prefix is no longer used for candidate CVE entries. Older changelog entries may still refer to an identifier by its CAN- name, so the CAN- prefix should be included in the above search for any 2005 or earlier CVEs.
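The changelog check above, as an added shell example that is not from the original page: it normalizes a CAN- or CVE- identifier, matches either prefix in the changelog text, and avoids matching a longer identifier that merely starts with the same digits. The changelog text is a constructed sample (not real Red Hat data), and the `rpm_has_fix` wrapper is the form you would run on a real host.

```shell
#!/bin/sh
# Constructed sample of `rpm -q <package> --changelog` output (not real Red Hat data).
SAMPLE_CHANGELOG='* Tue Oct 04 2005 Example Maintainer <maint@example.com> 0.9.7a-43.2
- fix CAN-2005-2969 - constructed entry using the legacy CAN- prefix

* Mon Jan 16 2006 Example Maintainer <maint@example.com> 0.9.7a-43.4
- fix CVE-2006-0001 - constructed entry using the CVE- prefix
'

# cve_in_changelog CVE-ID: read a changelog on stdin and succeed if any entry
# mentions the identifier under either its CVE- or its legacy CAN- prefix.
# The trailing ([^0-9]|$) stops CVE-2006-0001 from matching CVE-2006-00011.
cve_in_changelog() {
    id=$(printf '%s' "$1" | tr 'a-z' 'A-Z' | sed 's/^CAN-/CVE-/')
    suffix=${id#CVE-}
    grep -Eq "(CAN|CVE)-${suffix}([^0-9]|$)"
}

# rpm_has_fix PACKAGE CVE-ID: the real check on a Red Hat host (hypothetical
# wrapper name; it runs the same rpm command shown on the page).
rpm_has_fix() {
    rpm -q "$1" --changelog | cve_in_changelog "$2"
}

# check_sample CVE-ID: run the matcher over the embedded sample changelog.
# Returns 0 when the changelog references the fix, 1 otherwise.
check_sample() {
    if printf '%s' "$SAMPLE_CHANGELOG" | cve_in_changelog "$1"; then
        echo "$1: fix referenced in changelog"
        return 0
    fi
    echo "$1: not referenced in changelog"
    return 1
}
```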